The ability to isolate an endpoint is invaluable when working through the containment phase of incident response. Isolating an endpoint prevents all network communication, with the exception of communication to the EDR/EPP platform and any configured exclusions.

Endpoint isolation can only be performed by users with the Responder role.

Isolating an endpoint

To isolate an endpoint:

1. View the endpoint using ⌘-K or by clicking Endpoints and filtering for the endpoint’s hostname.
2. Click Isolate Endpoint. 
3. Read and acknowledge the resulting prompt.

To isolate an endpoint referenced by a detection:

1. View the detection using ⌘-K or by clicking Confirmed Threats and filtering for the detection.
2. At the top of the detection timeline, click Respond.
3. Click Isolate Endpoint. 
4. Read and acknowledge the resulting prompt.

Removing isolation from an endpoint

Once a threat has been remediated, isolation can be removed to return the endpoint to normal operation.

To remove isolation from an endpoint:

1. View the endpoint using ⌘-K or by clicking Endpoints and filtering for the endpoint’s hostname.
2. Click Disable Isolation.
3. Once the endpoint checks in with the server, it will restore normal network operation.

What happens if the endpoint is not online?

You can request isolation of—or remove isolation from—an endpoint that is offline. The request will be queued and executed when the endpoint comes back online and checks in with the EDR/EPP server.